-
Notifications
You must be signed in to change notification settings - Fork 73
Expand file tree
/
Copy pathaudit.toml
More file actions
27 lines (27 loc) · 1.56 KB
/
Copy pathaudit.toml
File metadata and controls
27 lines (27 loc) · 1.56 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# RUSTSEC-2026-0049: CRL revocation checking bug in rustls-webpki 0.101.7.
#
# Background: CRL (Certificate Revocation List) checking is an optional TLS
# feature where a client fetches a list of revoked certificates from URLs
# embedded in the cert itself, to confirm it hasn't been invalidated since
# issuance. This is distinct from normal certificate validation.
#
# The bug: when a cert lists multiple CRL distribution point URLs, only the
# first URL is checked; the rest are silently ignored. This matters only when
# CRL checking is enabled AND the UnknownStatusPolicy is set to Allow (meaning
# "if I can't determine revocation status, accept the cert anyway"). With that
# combination, a revoked certificate from a compromised CA could be accepted.
#
# Why this does not affect Commit-Boost: the vulnerable code path is never
# reached because no code in this codebase enables CRL checking at all.
# TLS is used in four places: (1) relay communication via reqwest with
# rustls-tls uses default CA validation with no CRL configured; (2) the signer
# server presents a TLS certificate but does not check client revocation;
# (3) the signer client pins a single self-signed certificate via
# add_root_certificate — CRL is irrelevant for self-signed certs; (4) the Dirk
# remote signer uses mTLS with a custom CA but again no CRL. In all cases the
# buggy CRL code in rustls-webpki is never invoked.
#
# Blocked on sigp/lighthouse upgrading past v8.0.1 without a compilation
# regression (SseEventSource missing cfg guard in eth2 error.rs).
[advisories]
ignore = ["RUSTSEC-2026-0049"]